2014-08-12 10:36 GMT+02:00 Stefan Seifert <sseif...@pro-vision.de>:

> If the tenant-specific scripts are allowed to get an admin session, they
> can not only access scripts of other tenants, but all their content as well,
> which is, I suppose, much more problematic than accessing the custom scripts.
> You can effectively steal all content of all other tenants of the same
> instance.
>
> So, it's difficult to use the current architecture for a tenant model
> where the deployed scripts have to be considered "unsafe" and the tenants
> cannot trust each other. I think it would be possible to extend the
> Sling API with ways to prevent getting an admin session via configuration,
> but is this still safe when accessing the JCR API directly, or other services
> running in the OSGi context which may expose administrative access to other
> parts as well?
>
>
Yes, right - now the replacement for loginAdministrative can prevent this
if loginAdministrative is not working anymore (throws an exception). And as
you note, this also depends on the use case: if you can trust the per-tenant
scripts, then this is fine.

Carsten



-- 
Carsten Ziegeler
Adobe Research Switzerland
cziege...@apache.org
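The two access paths discussed in the thread, as an added example that is not code from either poster or from the Sling project: the legacy administrative login, which fails with a LoginException once it has been disabled, beside the service-user login that scopes a tenant script to a mapped subservice. The subservice name "tenant-reader" and its mapping to a restricted service user are assumptions; the real restriction comes from the ACLs granted to that user.

```java
import java.util.Collections;
import java.util.Map;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;

/** Helper a tenant script could use instead of asking for an admin session. */
public class TenantContentReader {

    // Assumed subservice name; must be mapped to a restricted service user
    // in the Sling ServiceUserMapper configuration (assumption, not on the page).
    private static final String SUBSERVICE = "tenant-reader";

    private final ResourceResolverFactory factory;

    public TenantContentReader(ResourceResolverFactory factory) {
        this.factory = factory;
    }

    /** Hardened path: resolve content through the mapped service user only. */
    public String readTitle(String tenantPath) throws LoginException {
        Map<String, Object> auth = Collections.<String, Object>singletonMap(
                ResourceResolverFactory.SUBSERVICE, SUBSERVICE);
        ResourceResolver resolver = factory.getServiceResourceResolver(auth);
        try {
            // Null when the service user's ACLs do not grant read access,
            // e.g. for another tenant's subtree.
            Resource res = resolver.getResource(tenantPath);
            return res == null ? null : res.getValueMap().get("jcr:title", String.class);
        } finally {
            resolver.close();
        }
    }

    /** Legacy path: true only while the deprecated admin login is still enabled. */
    public boolean adminLoginStillPossible() {
        try {
            ResourceResolver admin = factory.getAdministrativeResourceResolver(null);
            admin.close();
            return true;
        } catch (LoginException e) {
            // Expected outcome once loginAdministrative has been switched off.
            return false;
        }
    }
}
```

Note that the JCR-level concern raised above is not addressed by this helper: a script that obtains a javax.jcr.Session through another OSGi service still needs that service to apply the same restriction.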